Some Hints for the Design of Digital 
Chaos-Based Cryptosystems: Lessons 
Learned from Cryptanalysis 

Abstract: In this work we comment on some conclusions derived from
the analysis of recent proposals in the field of chaos-based
cryptography. These observations point out a number of major
problems detected in some of the schemes under examination.
Therefore, this paper is a list of what to avoid and what to pay
special attention to when considering chaos as a source of new
strategies to conceal and protect information.

1. INTRODUCTION

The core of digital chaos-based cryptography is the selection of a
good chaotic map for a given encryption scheme. Actually, the
presence of chaos does not guarantee the security of an encryption
algorithm (Kocarev, 2001). A good digital cryptosystem based on
chaos should not be just the concomitance of a chaotic map and an
encryption architecture, but the result of their synergistic
association. Indeed, the quality of a chaotic map for cryptography
must be evaluated not just with considerations on its dynamic
properties, but also with considerations on the needs of the
sustaining encryption architecture. In other words, from a general
point of view it is not possible to design chaotic cryptosystems
satisfying the chaotic-system-free property (Li, 2003, p. 30) and,
as a result, the selection of a certain encryption scheme demands
the selection of a group of chaotic maps satisfying a certain set
of dynamical properties. Finally, digital chaos-based cryptography
is implemented on computers and thus the problems derived from
finite-precision computation must be evaluated and conveniently
handled during the design stage. This work illustrates the problems
with three elements involved in the design of digital chaos-based
cryptosystems, i.e., the selection of a chaotic map (Sec. 2), the
selection of an encryption architecture (Sec. 3) and the
implementation of the encryption system (Sec. 4).

2. PROBLEMS WITH THE SELECTION OF THE CHAOTIC SYSTEM

Problem 1. Definition of the key leading to non-chaotic behavior.
In some chaos-based cryptosystems the control parameters of the
underlying chaotic systems are determined by the secret key. If the
link between the secret key and the control parameters is not
established carefully, then it is possible that the underlying
chaotic system evolves in a non-chaotic way, which further erodes
the confusion and diffusion properties required by the resulting
cryptosystem.

The chaotic systems used as the base of cryptosystems are defined
in a parametric way such that their dynamics depends on one or
several control parameters. Moreover, those chaotic systems are
dynamical systems which show a chaotic behavior for certain values
of the associated control parameter(s). Therefore, the design of a
cryptosystem based on any of those dynamical systems must be done
by guaranteeing the use of the set of values for the control
parameter(s) leading to chaos. Otherwise, the underlying dynamical
system associated to the cryptosystem (or encryption system)
evolves non-chaotically, which implies the reduction of the level
of entropy in the ciphertext (i.e., the output of the cryptosystem)
and of the influence on the ciphertext of a change in the plaintext
(i.e., the input of the cryptosystem). This problem is especially
relevant when the design of the cryptosystem is based on a
dynamical system with chaotic behavior only for a set of disjoint
intervals of values of the control parameter(s). This is the case
of the logistic map and the Henon map, which have been used in
(Pareek et al., 2003) and in (Chee and Xu, 2006) respectively
without a thorough analysis of their dynamics (Alvarez et al.,
2003a; Arroyo et al., 2008b). As a conclusion, it is highly
advisable to use dynamical systems with chaotic behavior for all
the values of the control parameter(s). That is, robust chaotic
systems (Banerjee et al., 1998) should be used instead of nonrobust
ones.
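
The following added example (not from the paper) estimates the Lyapunov exponent of the logistic map for every parameter a key byte can select, and lists the key bytes that land in non-chaotic windows. The linear mapping `key_to_r` and the interval [3.57, 4.0] are assumptions made for illustration.

```python
import math

def lyapunov_logistic(r, x0=0.3, transient=1000, n=3000):
    """Finite-time Lyapunov exponent of x -> r*x*(1-x); > 0 indicates chaos."""
    x = x0
    for _ in range(transient):              # discard the transient
        x = r * x * (1.0 - x)
    total = 0.0
    for _ in range(n):
        # |f'(x)| = |r*(1-2x)|; the floor avoids log(0) on superstable orbits
        total += math.log(max(abs(r * (1.0 - 2.0 * x)), 1e-300))
        x = r * x * (1.0 - x)
    return total / n

def key_to_r(key_byte, lo=3.57, hi=4.0):
    """Hypothetical naive key mapping: one key byte scaled linearly into [lo, hi]."""
    return lo + (hi - lo) * (key_byte / 255.0)

def weak_key_bytes():
    """Key bytes whose derived parameter yields a non-positive exponent."""
    return [k for k in range(256) if lyapunov_logistic(key_to_r(k)) <= 0.0]

if __name__ == "__main__":
    weak = weak_key_bytes()
    print(f"{len(weak)} of 256 key bytes give non-chaotic dynamics")
    for k in weak[:8]:
        r = key_to_r(k)
        print(f"  key byte {k:3d} -> r = {r:.5f}, "
              f"lambda = {lyapunov_logistic(r):+.3f}")
```

A design that draws its parameter from a robust chaotic family has no such weak keys to filter out.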

Problem 2. Nonuniform probability distribution function. In some
chaos-based encryption architectures the confusion and/or diffusion
properties depend on the probability distribution function of the
orbits derived from the selected chaotic systems. If that
distribution is not uniform and independent of the value(s) of the
control parameter(s), then the quality of the diffusion process is
reduced.

The iteration of a chaotic map can be used to generate
pseudo-random sequences to encrypt the plaintext. The encryption
procedure could be performed in different ways, but all of them
demand the equiprobability of all the states contained in the
pseudo-random sequences. If this requirement is not satisfied, then
the conditional entropy of the ciphertext with respect to the
plaintext may be large enough to leak information about
relationships between the output and the input of the target
cryptosystem (see the entropy attack in (Alvarez et al., 2003c)).
This effect is especially significant for image encryption, as
pointed out recently by Li et al. (2007) (see Fig. 5 of their
paper). As a remedy, chaotic maps with a uniform probability
distribution function should be selected as the base of this kind
of cryptosystems, the family of piecewise linear chaotic maps (Li
et al., 2005) being a good option.
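
As an added illustration (not code from the paper), the script below quantizes orbits of the logistic map and of a piecewise linear chaotic map to bytes and compares how close each comes to equiprobable states. The map parameters, the seed and the one-byte quantization are assumptions chosen for the demo.

```python
import math
from collections import Counter

def logistic(x, r=4.0):
    return r * x * (1.0 - x)

def pwlcm(x, p=0.37):
    """Piecewise linear chaotic map on [0,1] with 0 < p < 0.5."""
    if x > 0.5:
        x = 1.0 - x                     # the map is symmetric about 0.5
    return x / p if x < p else (x - p) / (0.5 - p)

def keystream_bytes(step, x0, n, burn=100):
    """Quantize each state to one byte, as a naive keystream generator would."""
    x, out = x0, []
    for i in range(burn + n):
        x = step(x)
        if i >= burn:
            out.append(min(int(x * 256.0), 255))
    return out

def byte_entropy(data):
    """Shannon entropy in bits per byte (8.0 means equiprobable states)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def edge_mass(data, width=16):
    """Fraction of bytes in the lowest and the highest `width` values."""
    return sum(1 for b in data if b < width or b >= 256 - width) / len(data)

if __name__ == "__main__":
    for name, step in (("logistic", logistic), ("pwlcm", pwlcm)):
        ks = keystream_bytes(step, 0.123456789, 100000)
        print(f"{name:9s} entropy = {byte_entropy(ks):.3f} bits/byte, "
              f"edge mass = {edge_mass(ks):.3f} (uniform: 0.125)")
```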

Problem 3. Return map reconstruction. The ciphertext of some
cryptosystems makes it possible to reconstruct a return map of the
underlying chaotic system. If such a return map is meaningful, then
an attacker may be able to infer the value(s) of the control
parameter(s) that govern the evolution of the chaotic system.

The most direct way to estimate the control parameter(s) from a
chaotic orbit is to plot $x_{n+1}$ versus $x_n$, which is actually
the chaotic map itself. If this representation shows a simple
function between $x_{n+1}$ and $x_n$, then it could be possible to
infer the control parameter. In (Skrobek, 2008) a chosen-ciphertext
attack is used to build a discretized version of the logistic map
which further leads to the estimation of the control parameter. One
solution against this kind of attack is to shuffle/truncate the
chaotic orbit before using it for encryption, which randomizes the
plot of the return map.

3. PROBLEMS WITH THE ENCRYPTION 
ARCHITECTURE 

Problem 4. Bad definition of the ciphertexts. A bad definition of
the ciphertext derived from a chaos-based cryptosystem could allow
the estimation of the initial condition(s) and/or the control
parameter(s) of the underlying chaotic system. This problem is
present in some chaos-based cryptosystems whose ciphertext is given
by fragments of orbits, sampled versions of the orbits, or
discretized versions of the orbits of the underlying chaotic
systems.

An $N$-dimensional discrete-time chaotic map is defined by the rule
of evolution

$$x_{n+1} = f_{\lambda}(x_n), \qquad (1)$$

and, as a result, the ciphertext can not be the orbits of the map
since it may allow the estimation of $\lambda$ from + 1 or a bit
more consecutive units of ciphertext (see (Arroyo et al., 2008c)).
If the invariant set of the chaotic map has a size dependent on the
control parameter(s), even sampled versions of the orbits may allow
the estimation of the control parameter(s). This is the case of the
cryptosystems reported in (Garcia and Jimenez, 2002; Pisarchik et
al., 2006) and cryptanalyzed in (Alvarez et al., 2003b; Arroyo et
al., 2008d). Finally, the theory of symbolic dynamics can be used
when the ciphertext allows to get the symbolic sequences of the
orbits of a chaotic map (see (Alvarez et al., 2003a; Arroyo et al.,
2008a)).
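
A designer can test for the leak described in Problems 3 and 4 before publishing a scheme. The added example below (not from the paper) fits the return map to consecutive output bytes of a logistic orbit, once when the bytes are a discretized orbit and once when the orbit is truncated to low-order bits. The parameter 3.9, the seed and both byte extractions are constructed for the demo.

```python
def logistic_orbit(r, x0, n, burn=100):
    x, out = x0, []
    for i in range(burn + n):
        x = r * x * (1.0 - x)
        if i >= burn:
            out.append(x)
    return out

def high_byte(x):
    """Output unit = top 8 bits of the state (a discretized orbit)."""
    return min(int(x * 256.0), 255)

def low_byte(x):
    """Output unit = bits 25..32 of the state (orbit truncated from the top)."""
    return int(x * 2**32) & 0xFF

def return_map_fit(units):
    """Least-squares r in y = r*x*(1-x) over consecutive units, together
    with the Pearson correlation between y and x*(1-x)."""
    xs = [(u + 0.5) / 256.0 for u in units]
    g = [x * (1.0 - x) for x in xs[:-1]]
    y = xs[1:]
    r_hat = sum(a * b for a, b in zip(y, g)) / sum(a * a for a in g)
    n = len(g)
    mg, my = sum(g) / n, sum(y) / n
    cov = sum((a - mg) * (b - my) for a, b in zip(g, y))
    var_g = sum((a - mg) ** 2 for a in g)
    var_y = sum((b - my) ** 2 for b in y)
    return r_hat, cov / (var_g * var_y) ** 0.5

def demo(r_secret=3.9, x0=0.31, n=5000):
    orbit = logistic_orbit(r_secret, x0, n)
    leaky = return_map_fit([high_byte(x) for x in orbit])
    masked = return_map_fit([low_byte(x) for x in orbit])
    return leaky, masked

if __name__ == "__main__":
    (r1, c1), (r2, c2) = demo()
    print(f"discretized orbit: r_hat = {r1:.4f}, correlation = {c1:+.4f}")
    print(f"truncated orbit:   r_hat = {r2:.4f}, correlation = {c2:+.4f}")
```

A correlation near 1 means the output exposes the map. A correlation near 0 only shows that this particular fit no longer works, not that the scheme is secure.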

Problem 5. Efficiency of the cryptosystem depending on the value of
the key. If the encryption and decryption times depend on the key
or a sub-key, then a timing-attack can be performed to estimate the
(sub-)key.

Some encryption architectures perform the transformation of the
plaintext into the ciphertext through several encryption rounds.
Additionally, in each encryption round a chaotic map is iterated n
times. Since the encryption and decryption time has to be constant
and independent of the value of the key, it is not a good practice
to select the number of encryption rounds and n as part of the key.
Otherwise, a timing-attack based on the analysis of the encryption
and decryption time can be used for the partial estimation of the
secret key (see (Arroyo et al., 2008d)), which is a serious
security flaw. Instead, the number of encryption rounds and the
number of iterations of the map should be public parameters of the
cryptosystem.

Problem 6. Faulty derivation of the parameters of the chaotic
system from the key. In some chaos-based cryptosystems the key is
used to derive the values of the parameters necessary to iterate a
chaotic system and finally encrypt the information. If this mapping
implies a reduction of the key space, i.e., only a subset of the
possible values of those parameters is used, then a brute-force
attack on the values of the parameters could be much less demanding
than the one on the secret key.

One important step in the design of a chaos-based cryptosystem is
to decide what the key is. One possibility is to use the control
parameter(s) and the initial condition(s) of the underlying chaotic
system(s) as the secret key or as part of the secret key. Another
option is to establish the values of the control parameter(s) and
the initial condition(s) of the map(s) from the secret key through
a certain function. In this sense, it must be assured that the
image set of that function is the whole set of possible values of
the control parameter(s) and the initial condition(s). Otherwise, a
brute-force attack can be performed on the reduced space of control
parameter(s) and initial condition values with a lower
computational cost than the one on the key space. A cryptosystem
with this problem was introduced in (Pareek et al., 2003) and was
later cryptanalyzed in (Alvarez et al., 2003a).

Problem 7. Encryption procedure equivalent to a mapping only
dependent on the key. If the transformation of the plaintext into
the ciphertext is determined by a procedure equivalent to a mapping
only dependent on the key, then known/chosen-plaintext attacks may
be performed to reconstruct the transformation procedure.



In some encryption schemes the transformation of the plaintext into
the ciphertext is led either by a procedure derived using only the
key, or by a sampling process on a sequence of values generated
using only the key. In those situations, it could be possible
either to estimate the key or to construct some function equivalent
to the encryption procedure. For example, if the encryption
procedure consists of searching plaintexts in pseudo-random
sequences generated by iterating a chaotic map, since the
pseudo-random sequence remains unchanged unless the key is
modified, then it is possible to reconstruct the pseudo-random
sequence through a chosen-plaintext attack (see (Alvarez et al.,
2004a, b)). This problem also exists in those schemes where the
encryption procedure consists of a permutation-only stage which is
fixed unless the control parameter(s) and initial condition(s)
change, i.e., unless the secret key is updated (see (Li et al.,
2008b) for a general qualitative analysis of this attack). As a
conclusion, the encryption function that transforms a unit of
plaintext into a unit of ciphertext should depend on the key and on
the whole plaintext.

4. IMPLEMENTATION PROBLEMS 

Problem 8. Non-invertible encryption procedure. The iteration of
the chaotic systems sustaining chaos-based cryptosystems implies
working with real numbers. Since the implementation of chaos-based
cryptosystems is done with finite precision arithmetic, round-off
operations could lead to a non-invertible encryption procedure.

One critical point when working with dynamical systems and the
analysis of their dynamics is the selection of the right simulation
framework. Indeed, the computer-based analysis of dynamical systems
could lead to some conclusions different from those expected from
theory. This divergence also influences and conditions chaos-based
cryptosystems. Thus, if the characteristics and problems of finite
precision are not handled properly, then it is possible that the
orbits generated as the base of the encryption procedure can not be
regenerated exactly during the decryption stage and, consequently,
the original plaintext can not be recovered even when the key is
known. This problem is not only relevant for fixed-point arithmetic
but also for floating-point arithmetic. Indeed, the round-off
quantization errors could lead to the occurrence of a
non-invertible function for encryption and, as a result, the
decryption process will be impossible (see the cryptanalysis work
in (Alvarez et al., 2007; Arroyo et al., 2008b,d; Solak and Çokal,
2008)).

Problem 9. Dynamical degradation. The implementation of chaotic
systems in finite precision in digital computers often leads to
dynamical properties completely different from the theoretical and
expected ones. If this deviation is not considered during the
design of chaos-based cryptosystems, it could imply a reduction of
the performance and even a compromise of the security of the
resulting cryptosystem.

This problem is closely related to the previous one, although the
point of interest moves to the degradation of the dynamical
properties of the implemented chaotic system with respect to the
theoretical model. Consequently, the design of an encryption scheme
using a chaotic system must be done by considering its practical
implementation (not only the theoretical model). In (Alvarez and
Li, 2006) some consequences of the dynamical degradation of a
chaotic map are shown in the context of cryptography, whereas in
(Li et al., 2005) one can find a thorough analysis of the dynamical
degradation of a specific chaotic map and some ways to overcome
this problem.
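
The degradation can be measured exhaustively at small word sizes. This added example (not from the paper) runs the tent map and the logistic map in k-bit fixed-point arithmetic and records the transient and cycle length for every seed. The choice of the two maps, the rounding rule and k = 12 are assumptions made for the demo.

```python
def tent_step(s, k):
    """Tent map x -> 1 - |1 - 2x| in k-bit fixed point, state s = x * 2**k."""
    return 2 * s if s < (1 << (k - 1)) else 2 * ((1 << k) - s)

def logistic_step(s, k):
    """Logistic map x -> 4x(1-x) in k-bit fixed point, rounded down."""
    return (4 * s * ((1 << k) - s)) >> k

def rho(step, seed, k):
    """Return (transient, cycle_length) of the orbit started at `seed`."""
    seen, s, i = {}, seed, 0
    while s not in seen:
        seen[s] = i
        s = step(s, k)
        i += 1
    return seen[s], i - seen[s]

def survey(step, k):
    """Longest transient+cycle over every seed, and the set of cycle lengths."""
    worst, lengths = 0, set()
    for seed in range((1 << k) + 1):
        t, c = rho(step, seed, k)
        worst = max(worst, t + c)
        lengths.add(c)
    return worst, lengths

if __name__ == "__main__":
    K = 12
    for name, step in (("tent", tent_step), ("logistic", logistic_step)):
        worst, lengths = survey(step, K)
        print(f"{name:9s} k={K}: longest orbit visits {worst} of "
              f"{(1 << K) + 1} states; cycle lengths {sorted(lengths)}")
```

Every tent-map orbit collapses onto the fixed point 0 after at most k + 1 iterations, because each step shifts one bit out of the state. The logistic map maps s and 2^k - s to the same value, so no orbit can visit more than about half of the states.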

Problem 10. Lack of details in the description. According to
Kerckhoffs' principle, the security of a cryptosystem can not be
based on the secrecy of its encryption and decryption procedures.
Furthermore, the key of any cryptosystem has to be easy to
establish and to exchange, and the key space must be defined in an
explicit and clear way.

The pursuit of security through obscurity is something to avoid
when designing an encryption scheme. All the operations involved in
the encryption/decryption procedures must be explained in detail,
and the secret key must be clearly specified along with an exact
estimation of the size of the key space. The security of the
cryptosystem must be only related to the difficulty of guessing the
key, and it can not depend on the lack of knowledge about the inner
workings of the encryption and decryption procedures. Moreover,
this lack of details implies a lack of security because, without a
careful investigation by the whole cryptography community, many
security holes might not be noticed by the designers themselves.
Refer to (Arroyo et al., 2008b) and (Li et al., 2008a) for a pair
of examples.

5. CONCLUSIONS 

As a result of all the cryptanalysis work in the field of
chaos-based cryptography, we must conclude that the design of new
strategies of encryption using chaos must be based on a good
background on the theory of dynamical systems. In addition,
cryptanalytic knowledge about previous proposals and the
restrictions related to practical implementations on
finite-precision machines must be carefully studied and handled. A
cryptosystem is a chain composed of many links, whose security is
determined by the weakest link, and cryptanalysis is the art of
finding out the weakest link.